Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is an on-going, ever changing, and increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events including stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capability in order to cause denial of service; and so forth.
Of particular concern is the speed at which malicious code can spread throughout a single computer and even a network of computers. Many computers run anti-virus software that can be updated periodically. However, one problem is that only those viruses known prior to the last update are detected. Thus, a new virus may be undetectable. Further, in a network setting, such as a corporate intranet, only some of the computers may be running anti-virus software, while the others remain vulnerable to infection.
The prior art has attempted to remedy these problems by allowing users to send a file that they suspect is infected with malicious code to an administrator at a remote server via electronic mail. The administrator looks at the files and determines if they are infected. If so, the virus signature is identified and added to a DAT file, which is archived and stored. The user must then retrieve the updated DAT file from a general download site once it becomes available, install it, and perform a local virus scan. By then, hours and, more likely, days have passed, in which time the virus has spread.
Other prior art systems have attempted to push scanning software onto the client computer to perform a scan on the client computer. Again, the DAT file has been created prior to the user request. Thus, if the virus signature is not included in the DAT file, the scanning software will not detect the virus.
What is needed is a way to pull or receive a potentially infected file from a client device, create a solution, and send the solution back to the user in real time.